CVE-2025-10060 Overview
CVE-2025-10060 is a denial of service vulnerability in MongoDB Server that allows upsert operations retried within a transaction to violate unique index constraints. This improper state management can trigger an invariant failure during transaction commit, resulting in a server crash. The vulnerability stems from improper WriteUnitOfWork state management within the database engine.
Critical Impact
Attackers can remotely crash MongoDB Server instances by exploiting transaction retry logic, causing service disruption without requiring authentication or user interaction.
Affected Products
- MongoDB Server v6.0 versions prior to 6.0.25
- MongoDB Server v7.0 versions prior to 7.0.22
- MongoDB Server v8.0 versions prior to 8.0.12
Discovery Timeline
- September 5, 2025 - CVE-2025-10060 published to NVD
- September 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-10060
Vulnerability Analysis
This vulnerability affects MongoDB Server's transaction processing mechanism, specifically how upsert operations are handled during retry scenarios. When a transaction containing upsert operations is retried, the WriteUnitOfWork state management fails to properly track and enforce unique index constraints. This leads to a condition where duplicate key violations are not detected until the commit phase, at which point an invariant check fails and causes the server to crash.
The flaw is classified under CWE-672 (Operation on a Resource after Expiration or Release), indicating that the server continues to operate on stale or improperly managed transaction state. This is particularly dangerous in high-availability deployments where transaction retries are common, such as during network partitions or replica set failovers.
Root Cause
The root cause lies in the WriteUnitOfWork state management subsystem within MongoDB's storage engine. During transaction retries, the state tracking for upsert operations does not properly synchronize with unique index constraint validation. When an upsert operation that would normally be deduplicated is retried within the same transaction context, the system fails to recognize that the operation has already been applied, leading to a duplicate entry attempt.
This state management issue occurs because:
- The transaction retry mechanism does not properly reset the WriteUnitOfWork state for previously executed operations
- Unique index constraint checks are deferred until commit time
- The invariant checking code expects a consistent state that is violated by the improper retry handling
Attack Vector
The attack vector for this vulnerability is network-based and does not require authentication or user interaction. An attacker with the ability to send database operations to a vulnerable MongoDB instance can craft transactions containing upsert operations designed to trigger retry conditions. By exploiting network timing or intentionally inducing conditions that cause transaction retries, the attacker can cause the unique index constraint violation that crashes the server.
The vulnerability is triggered when retry conditions occur during upsert operations within multi-document transactions. The timing-based nature of the attack means it may require multiple attempts, but the network accessibility and lack of authentication requirements make it feasible for remote exploitation.
Detection Methods for CVE-2025-10060
Indicators of Compromise
- Unexpected MongoDB server crashes with invariant failure messages in logs
- Log entries containing references to WriteUnitOfWork state errors or unique index violations during transaction commit
- Repeated transaction retry attempts followed by server termination
- Core dumps or crash reports indicating invariant failures in the transaction processing code path
Detection Strategies
- Monitor MongoDB logs for invariant failure messages, particularly those occurring during transaction commit phases
- Implement alerting on unexpected mongod process terminations or restarts
- Track transaction retry rates and correlate with server stability metrics
- Use MongoDB's diagnostic logging to capture detailed transaction state information
Monitoring Recommendations
- Enable verbose logging for transaction operations to capture retry patterns
- Configure process monitoring to detect unexpected mongod crashes and trigger alerts
- Implement health checks that verify database availability and responsiveness
- Monitor system logs for core dumps or segmentation faults from MongoDB processes
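As an added example (not part of the advisory), a small Python detector over constructed mongod structured log lines that implements the log-based strategies above: it flags fatal invariant failures and reports how many aborted transactions the same connection logged shortly beforehand. The t/s/c/id/ctx/msg/attr layout is mongod's real JSON log schema; the ids, attr contents and the use of aborted-transaction entries as a retry proxy are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of mongod structured (JSON) log lines. The field layout
# is mongod's real schema; ids, attr values and timestamps are placeholders.
SAMPLE_LOG = r'''
{"t":{"$date":"2025-09-20T10:00:01.000+00:00"},"s":"I","c":"TXN","id":0,"ctx":"conn42","msg":"transaction","attr":{"parameters":{"txnNumber":7,"autocommit":false},"terminationCause":"aborted"}}
{"t":{"$date":"2025-09-20T10:00:01.200+00:00"},"s":"I","c":"TXN","id":0,"ctx":"conn42","msg":"transaction","attr":{"parameters":{"txnNumber":7,"autocommit":false},"terminationCause":"aborted"}}
{"t":{"$date":"2025-09-20T10:00:01.400+00:00"},"s":"F","c":"ASSERT","id":0,"ctx":"conn42","msg":"Invariant failure","attr":{"expr":"PLACEHOLDER_EXPR","file":"PLACEHOLDER_FILE.cpp","line":0}}
{"t":{"$date":"2025-09-20T10:00:01.401+00:00"},"s":"F","c":"ASSERT","id":0,"ctx":"conn42","msg":"\n\n***aborting after invariant() failure\n\n"}
{"t":{"$date":"2025-09-20T10:05:00.000+00:00"},"s":"I","c":"NETWORK","id":0,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.7:51234"}}
'''

def parse_log(text):
    """Parse one JSON object per line, skipping blank or non-JSON lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            entry = json.loads(line)
            entry["_ts"] = datetime.fromisoformat(entry["t"]["$date"])
            entries.append(entry)
    return entries

def invariant_failures(entries):
    """Fatal ASSERT-component entries whose message mentions an invariant."""
    return [e for e in entries if e.get("s") == "F" and e.get("c") == "ASSERT"
            and "invariant" in e.get("msg", "").lower()]

def aborted_txns_before(entries, failure, window):
    """Aborted-transaction entries on the failing connection inside `window`
    before the crash: a proxy for the retry churn that precedes this bug."""
    start = failure["_ts"] - window
    return sum(1 for e in entries
               if e.get("c") == "TXN" and e.get("ctx") == failure.get("ctx")
               and start <= e["_ts"] < failure["_ts"]
               and e.get("attr", {}).get("terminationCause") == "aborted")

def crash_alerts(text, window=timedelta(seconds=30)):
    """One alert per connection that hit an invariant failure, tagged with the
    number of aborted transactions seen on that connection just before."""
    entries, alerts, seen = parse_log(text), [], set()
    for f in invariant_failures(entries):
        if f["ctx"] not in seen:
            seen.add(f["ctx"])
            alerts.append({"ctx": f["ctx"], "at": f["t"]["$date"],
                           "aborted_txns_before": aborted_txns_before(entries, f, window)})
    return alerts
```

Feed it the output of `mongod --logpath` (or `journalctl` for the mongod unit) and alert when an invariant failure arrives with a non-zero aborted-transaction count on the same connection.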
How to Mitigate CVE-2025-10060
Immediate Actions Required
- Upgrade MongoDB Server v6.0 installations to version 6.0.25 or later
- Upgrade MongoDB Server v7.0 installations to version 7.0.22 or later
- Upgrade MongoDB Server v8.0 installations to version 8.0.12 or later
- Review application code for patterns that may trigger excessive transaction retries with upsert operations
Patch Information
MongoDB has released patches addressing this vulnerability in the following versions:
- MongoDB Server 6.0.25 for the v6.0 release line
- MongoDB Server 7.0.22 for the v7.0 release line
- MongoDB Server 8.0.12 for the v8.0 release line
For detailed technical information about this issue, refer to the MongoDB Jira Issue SERVER-95524.
Workarounds
- Limit network access to MongoDB instances using firewall rules to reduce exposure to untrusted sources
- Implement application-level rate limiting on transaction retry operations
- Consider temporarily avoiding upsert operations within multi-document transactions until patches can be applied
- Deploy MongoDB instances behind authentication and ensure only authorized clients can execute transactions
# Example: Restrict MongoDB network access using iptables
# Allow connections only from trusted application servers (adjust the subnet;
# replica set members, localhost tooling and monitoring hosts must also be allowed)
iptables -A INPUT -p tcp --dport 27017 -s 10.0.0.0/24 -j ACCEPT
# Drop everything else on the MongoDB port; -A appends, so check that no earlier
# rule in the INPUT chain already accepts port 27017
iptables -A INPUT -p tcp --dport 27017 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


